DataBreaches.Net


Years later, Marriott admits data were not encrypted before its 2018 data breach. Now what?

Posted on May 4, 2024 by Dissent

What might happen to a company that has been making false claims about its system security for more than five years after experiencing a massive data breach? Will state attorneys general, the SEC, and the FTC investigate and possibly penalize them for a significant misrepresentation to consumers and regulators?

CSO Online has a significant update concerning litigation against Marriott over the 2018 breach that affected hundreds of millions of customers:

For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.

In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.

During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.”

The Correction

Read more of Evan Schuman’s report on CSO Online. Schuman notes that in response to the judge’s order, Marriott didn’t even issue a new post on its site or any notice to call attention to the correction. They merely silently edited their original website notice to add two sentences:

Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).

[Note: Marriott’s original statement on their web page had been reported on DataBreaches.]

Now What?

Schuman points out that the admission, years later, that no encryption was used raises a whole host of questions that have yet to be answered.

Did Marriott get reimbursed by their insurance carrier because they claimed the data had been encrypted?

Will the Securities and Exchange Commission have something to say about misleading investors by claiming encryption when it wasn’t used?

How is it that this wasn’t discovered and corrected in 2019 or 2020 at the latest? Why is this first coming out now?

Were there other lawsuits that were dismissed because of Marriott’s claim that data were encrypted? Were there other potential plaintiffs who did not sue because they relied upon Marriott’s claim of encryption?

Was this an innocent mistake on Marriott’s part or not?


Correction: The Marriott page does note an update on it — I missed it because I was looking at the bottom of the page and it was on top. Thanks to Evan Schuman for catching my error. A sentence commenting that there was no note of update has since been removed, although it is still a silent update on a years’ old notice — Dissent.

Category: Business Sector, Hack
